Security Researchers Targeted in a Spear Phishing Campaign - An Analysis


We've recently become aware of a targeted spear phishing campaign, combined with client-side exploits that drop malware, aimed at legitimate security researchers. The attackers approach researchers personally or over social media and try to entice them into verifying the validity of a supposedly newly discovered and recently launched zero-day flaw; in reality, the supposed exploit, once executed, drops malicious software on the affected researchers' hosts. We decided to research the campaign further and offer practical, relevant and actionable intelligence on its infrastructure, for the purpose of assisting fellow researchers and the industry in tracking down and monitoring the campaign.


In this analysis we'll take a closer look at the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the TTPs (tactics, techniques and procedures) of the cybercriminals behind it.
Screenshot of the fake security company Web site, generated by WhoisXML API's Screenshot Generation Service.


Official rogue security research Web site’s responding IPs: 


- hxxp://193.29.57.231 
- hxxp://68.65.122.10 
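To support the tracking and monitoring this analysis is meant to enable, here is an added example (not code from the report or from WhoisXML API) that refangs hxxp-style indicators and flags DNS and proxy log lines touching the responding IPs listed above; the C&C domains, the log format and the log lines are constructed placeholders.

```python
import ipaddress
import re

# Indicators drawn from the analysis above: the two IPs that answered for the rogue
# "security company" site. The two domains are constructed placeholders standing in
# for the campaign's C&C domains (not values from the report).
C2_IPS = {"193.29.57.231", "68.65.122.10"}
C2_DOMAINS = {"c2-placeholder-one.example", "c2-placeholder-two.example"}

# Constructed log lines: "<timestamp> <source host> <event kind> <destination>".
# The http_connect destination carries a port; IPv4 only in this sample.
SAMPLE_LOG = """\
2021-01-26T10:02:11Z 10.0.0.5 dns_query www.c2-placeholder-one.example
2021-01-26T10:02:12Z 10.0.0.5 http_connect 193.29.57.231:443
2021-01-26T10:05:40Z 10.0.0.9 dns_query updates.vendor.example
2021-01-26T10:06:02Z 10.0.0.9 http_connect 68.65.122.10:80
2021-01-26T10:07:13Z 10.0.0.3 dns_query notc2-placeholder-one.example
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns_query|http_connect) (?P<dst>\S+)$")

def indicator_host(ioc):
    """Reduce a defanged indicator such as hxxp://193.29.57.231/x to a bare host."""
    value = ioc.strip().lower().replace("[.]", ".")
    value = re.sub(r"^hxxp", "http", value)
    value = re.sub(r"^https?://", "", value)
    return value.split("/", 1)[0]

def host_matches(host, domains=C2_DOMAINS, ips=C2_IPS):
    """IPs must match exactly; a domain matches itself or any subdomain of it, so
    www.c2-placeholder-one.example hits but notc2-placeholder-one.example does not."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host in ips
    except ValueError:
        return any(host == d or host.endswith("." + d) for d in domains)

def scan_log(lines, domains=C2_DOMAINS, ips=C2_IPS):
    """Return (timestamp, source, destination) for every line that touches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the constructed format
        dst = re.sub(r":\d+$", "", m.group("dst"))  # drop the port on http_connect
        if host_matches(dst, domains, ips):
            hits.append((m.group("ts"), m.group("src"), dst))
    return hits
```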


Sample malicious domains, including C&C phone-back locations, known to have participated in the campaign:
Sample screenshots of malicious MD5s known to have phoned back to one of the C&C infrastructure domains; one of the samples shown is named Chrome_85_RCE_Full_Exploit_Code...


Sample malicious and rogue IPs known to have responded to the same malicious and fraudulent domains that are part of the campaign:
Related malicious MD5s known to have phoned back to the same malicious infrastructure or to have participated in the campaign:




We'll continue monitoring the campaign using WhoisXML API's domain and registrant monitoring infrastructure and will issue an update as soon as new developments take place.


